---
title: What's coming up?
course: human_hacking
section: "Introduction"
layout: lesson
---

This course is designed to cover all aspects, tools and skills used by
professional and malicious social engineers. Each chapter delves deep into the
science and art of a specific social engineering skill to show you how it can be
used, enhanced and perfected.

The next lesson of this chapter, "_Overview of Social Engineering_", defines
social engineering and what roles it plays in society today, as well as the
different types of social engineering attacks, including other areas of life
where social engineering is used in a non-malicious way. I will also discuss how
a social engineer can use the social engineering framework in planning an audit
or enhancing his own skills.

Section 2 is where the real meat of the lessons begins. Information gathering is
the foundation of every social engineering audit. The social engineer's mantra
is, "_I am only as good as the information I gather_". A social engineer can
possess all the skills in the world, but if he or she doesn't know about the
target, if the social engineer hasn't outlined every intimate detail, then
failure is more likely. Information gathering is the crux of
every social engineering engagement, although people skills and the ability to
think on your feet can help you to get out of a sticky situation. More often
than not, the more information you gather, the better your chances of
success.

These questions will be answered in the following section:

* What sources can a social engineer use?

* What information is useful?

* How can a good social engineer collect, gather and organise this information?

* How technical should a social engineer get?

* How much information is enough?

After the analysis of information gathering, the next topic addressed in
section 2 is communication modeling. This topic closely ties in with information
gathering. First, I will discuss what communication modeling is and how it began
as a practice. Then, the chapter walks through the steps needed to develop and
then use a proper communication model. It outlines how a social engineer uses
this model against a target and the benefits of outlining it for every
engagement.

Section 3 covers elicitation, the next logical step in the framework. It offers
a very in-depth look into how questions are used to gain information, passwords
and in-depth knowledge of the target and his or her company. You will learn what
good and proper elicitation is and how important it is to have your
elicitations planned out.

Section 3 also covers the important topic of preloading the target's mind with
information to make your questions more readily accepted. As you unravel this
section, you will clearly see how important it is to become an excellent
elicitor. You will also clearly see how you can use that skill not just in your
security practices but in daily life.

Section 4, which covers pretexting, is powerful. This heavy topic is one of the
critical points for many social engineers. Pretexting involves developing the
role the social engineer will play for the attack on the company. Will the
social engineer be a customer, vendor, tech support, new hire or something
equally realistic and believable? Pretexting involves not just coming up with
the storyline but also developing the way your persona would look, act, talk,
walk; deciding what tools and knowledge they would have; and then, mastering the
entire package so when you approach the target, you _are_ that person and not
simply playing a character. The questions covered include the following:

* What is pretexting?

* How do you develop a pretext?

* What are the principles of a successful pretext?

* How can a social engineer plan and then execute a perfect pretext?

The next step in this course is one that can fill volumes. Yet it must be
discussed from the viewpoint of a social engineer. Section 5 is a
no-holds-barred discussion on some very confrontational topics, including that
of _eye cues_. For example, what are the varying opinions of some professionals
about eye cues and how can a social engineer use them? The section also delves
into the fascinating science of microexpressions and its implications on social
engineering.

Section 5 goes on to analyse the research, yielding answers to these questions:

* Is it possible to use microexpressions in the field of security?

* How would you do so?

* Of what benefit are microexpressions?

* Can people train themselves to learn how to pick up on microexpressions
  automatically?

* After we do the training, what information is obtained through
  microexpressions?

Probably one of the most debated topics in Section 5 is _neurolinguistic
programming_ (_NLP_). The debate has many people undecided on what it is and how
it can be used. Section 5 presents a brief history of NLP as well as what makes
NLP so controversial. You can decide for yourself whether NLP is usable in social
engineering.

Section 5 also discusses one of the most important aspects of social engineering
in person or on the phone: Knowing how to ask good questions, listen to
responses and then ask more questions. Interrogation and interviewing are two
methods that law enforcement has used for years to manipulate criminals to
confess as well as to solve the hardest cases. This part of section 5 puts to
practical use the knowledge you gained in section 3.

In addition, Section 5 discusses how to build instant rapport - _a skill you can
use in everyday life_. The chapter ends by covering my own personal research
into "_the human buffer overflow_": the notion that the human mind is much like
the software that hackers exploit every day. By applying certain principles, a
skilled social engineer can overflow the human mind and inject any command they
want.

Just like hackers write overflows to manipulate software to execute code, the
human mind can be given certain instructions to, in essence, "_overflow_" the
target and insert custom instructions. Section 5 is a mind-blowing lesson in how
to use some simple techniques to master how people think.

Many people have spent their lives researching and proving what can and does
influence people. Influence is a powerful tool with many facets to it. To this
end, section 6 discusses the fundamentals of persuasion. The principles engaged
in Section 6 will start you on the road toward becoming a master of persuasion.

The chapter presents a brief discussion of the different types of persuasion
that exist and provides examples to help solidify how you can use these facets
in social engineering.

The discussion doesn't stop there - _framing is also a hot topic nowadays_. Many
different opinions exist on how one can use framing and this course shows some
real-life examples of it. Then, dissecting each, I take you to the lessons
learned and things you can do to practise reframing yourself as well as use
framing in everyday life as a social engineer.

Another overwhelming theme in social engineering is _manipulation_:

* What is its purpose?

* What kinds of incentives drive manipulators?

* How can a person use it in social engineering?

Section 6 presents what a social engineer needs to know on the topic of
manipulation and how to successfully apply such skills.

Section 7 covers the tools that can make a social engineering audit more
successful. From physical tools such as hidden cameras to software-driven
information gathering tools, each section covers tested-and-tried tools for
social engineers.

Once you understand the social engineering framework, Section 8 discusses some
real-life case studies. I have chosen two excellent accounts from the world-renowned
social engineer _Kevin Mitnick_. I analyse, dissect and then propose what you
can learn from these examples and identify the methods he used from the social
engineering framework. Moreover, I discuss what can be learned from his attack
vectors as well as how they can be used today. I discuss some personal accounts
and dissect them, as well.

What social engineering guide would be complete without discussing some of the
ways you can mitigate these attacks? The appendix provides this information. I
answer some common questions on mitigation and give some excellent tips to help
secure you and your organisation against these malicious attacks.
